A brand new variant of the Konfety Android malware emerged with a malformed ZIP construction together with different obfuscation strategies that permit it to evade evaluation and detection.
Konfety poses as a professional app, mimicking innocuous merchandise accessible on Google Play, however options not one of the promised performance.
The capabilities of the malware embrace redirecting customers to malicious websites, pushing undesirable app installs, and pretend browser notifications.
As an alternative, it fetches and renders hidden adverts utilizing the CaramelAds SDK and exfiltrates info similar to put in apps, community configuration, and system info.
Supply: Zimperium
Though Konfety is not a adware or RAT device, it consists of an encrypted secondary DEX file contained in the APK, which is decrypted and loaded at runtime, containing hidden providers declared within the AndroidManifest file.
This leaves the door open for putting in further modules dynamically, thus permitting the supply of extra harmful capabilities on present infections.
Evasion ways
Researchers at cellular safety platform Zimperium found and analyzed the most recent Konfety variant and report that the malware makes use of a number of strategies to obfuscate its actual nature and exercise.
Konfety methods victims into putting in it by copying the title and branding of professional apps can be found on Google Play and distributing it by means of third-party shops – a tactic that researchers at Human referred to as “evil twin” or “decoy twin.”
The operators of the malware are selling it on third-party app shops.
These marketplaces are sometimes the place customers search for “free” variants of premium apps as a result of they wish to keep away from Google monitoring, have an Android gadget that’s now not supported, or haven’t got entry to Google providers.
The dynamic code loading, the place the malicious logic is hidden in an encrypted DEX file that masses at runtime, is one other efficient obfuscation and evasion mechanism that Konfety employs.
One other unusual anti-analysis technique in Konfety is to control the APK recordsdata in a approach that confuses or breaks static evaluation and reverse engineering instruments.
First, the APK units the Common Objective Bit Flag to ‘bit 0,’ signaling that the file is encrypted, although it isn’t. This triggers false password prompts when making an attempt to examine the file, blocking or delaying entry to the APK’s contents.
Secondly, important recordsdata within the APK are declared utilizing BZIP compression (0x000C), which is not supported by evaluation instruments like APKTool and JADX, leading to a parsing failure.
Supply: Zimperium
In the meantime, Android ignores the declared methodology and falls again to default processing to take care of stability, permitting the malicious app to put in and run on the gadget with out concern.
After set up, Konfety hides its app icon and title and makes use of geofencing to alter habits in keeping with the sufferer’s area.
Compression-based obfuscation has been noticed up to now in Android malware, as highlighted in a Kaspersky report from April 2024 on SoumniBot malware.
In that case, SoumniBot declared an invalid compression methodology in AndroidManifest.xml, declared a faux file dimension and knowledge overlay, and confused evaluation instruments with very massive namespace strings.
It’s sometimes really helpful to keep away from putting in APK recordsdata from third-party Android app shops and solely belief software program from publishers you understand.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
